The Cisco ASA FirePOWER module can be configured in promiscuous monitor-only mode, also known as passive mode. As the name suggests, in passive mode the FirePOWER module does nothing to the traffic that passes through the ASA; the ASA simply forwards a copy of each packet to the FirePOWER module.

The figure below illustrates the complete order of operations of the Cisco ASA FirePOWER module in promiscuous monitor-only (passive) mode.

Figure 1.1 – ASA FirePOWER Module in promiscuous monitor-only mode

Suppose Host A sends traffic to Host B; it goes through the following process:

Traffic sent from Host A is received on the Outside interface of the ASA firewall.

If an IPsec or SSL VPN is configured, the incoming encrypted traffic is decrypted.

Firewall policies are applied to the decrypted traffic.

If the received traffic is compliant with and allowed by the ASA policies, a copy of the traffic is sent to the ASA FirePOWER module. If the traffic is not compliant with the security policies or is malicious in nature, the FirePOWER module can be configured to send an alert to the network security administrator; however, it cannot take any action to stop the malicious or non-compliant traffic.

If an IPsec or SSL VPN is configured, the traffic is encrypted again.

The processed traffic is then forwarded out the respective interface, in this case the Inside interface.

The real benefit of the Cisco ASA FirePOWER module is seen in inline mode, as promiscuous monitor-only (passive) mode has no capability to take any action on infected or non-compliant traffic. Passive mode can still be useful for proofs of concept and for capacity planning ahead of new deployments.

Cisco ASA Firewalls can be exploited by sending crafted UDP packets (Thu, 11 Feb 2016)

Yesterday I received an email from Cisco Security Advisories about a critical vulnerability in the IKE version 1 and IKE version 2 code of ASA Software, which could empower an unauthenticated remote attacker to reload or even execute code remotely on an affected ASA firewall.

Those who are terminating their VPN tunnels using either IKEv1 or IKEv2 for any of the following VPN types

LAN-to-LAN IPsec VPN

Remote access VPN using the IPsec VPN client

Layer 2 Tunneling Protocol (L2TP)-over-IPsec VPN connections

IKEv2 AnyConnect

should immediately check whether their ASAs are affected. If so, they should upgrade the ASA, as there is no other fix from Cisco.

The vulnerability is due to a buffer overflow in the affected code area. An attacker could exploit it by sending crafted UDP packets to the affected system. A successful exploit could allow the attacker to execute arbitrary code and obtain full control of the system, or cause a reload of the affected system.

The following versions of IOS are affected; one should upgrade immediately to the recommended IOS version.

How to configure Site-to-Site IPSec VPN on Cisco Routers? – Series 2 (Mon, 28 Dec 2015)

In my previous post we talked briefly about IPSec. We will be using the topology below for our setup.

The whole topology was built using Cisco VIRL. In this example we will build a Site-to-Site IPSec VPN between routers R1 and R2 and allow communication between the R1 LAN subnet 192.168.1.0 and the R2 LAN subnet 10.10.2.0.

Before starting, make sure you have reachability between the peer routers, i.e. you can ping the R2 WAN IP 2.2.2.2 from R1 and vice versa.

Step 1: Define the interesting traffic, i.e. the traffic you want encrypted across the public network, using an ACL. Note that the ACL on each router is the mirror image of the other's.

R1

ip access-list extended VPN-ACL
 permit ip 192.168.1.0 0.0.0.255 10.10.2.0 0.0.0.255

R2

ip access-list extended VPN-ACL
 permit ip 10.10.2.0 0.0.0.255 192.168.1.0 0.0.0.255

Step 2: Configure NAT exemption. If you are using NAT on the routers for internet access, this step is a must; if you are not using NAT, skip this step and proceed to Step 4. Basically, we use an ACL to exclude the VPN traffic passing through the tunnel between Site 1 and Site 2 from NAT, so that it enters the tunnel with its original addresses. The deny entry must come before the permit entry, because the ACL is evaluated top-down.

R1

ip access-list extended NO-NAT-ACL
 deny ip 192.168.1.0 0.0.0.255 10.10.2.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 any

R2

ip access-list extended NO-NAT-ACL
 deny ip 10.10.2.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip 10.10.2.0 0.0.0.255 any

Step 3: Configure NAT on both routers and enable NAT on the interfaces (use this step only if Step 2 was configured; otherwise proceed to Step 4).
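As an added example that is not part of the original post, the Python below models how IOS evaluates the two R1 ACLs from Steps 1 and 2 top-down, and uses that to check that the NAT-exemption ordering really keeps the Site-to-Site traffic out of NAT. The sample flow addresses are constructed.

```python
import ipaddress

# R1's ACLs from Steps 1 and 2 above, copied here as sample input.
R1_VPN_ACL = ["permit ip 192.168.1.0 0.0.0.255 10.10.2.0 0.0.0.255"]
R1_NO_NAT_ACL = [
    "deny ip 192.168.1.0 0.0.0.255 10.10.2.0 0.0.0.255",  # VPN flows: exempt from NAT
    "permit ip 192.168.1.0 0.0.0.255 any",                # everything else: translate
]

def _parse_ace(ace):
    """'permit ip SRC WILD DST WILD' -> (action, (src, wild), (dst, wild));
    'any' becomes 0.0.0.0 with an all-ones wildcard."""
    tokens = ace.split()
    action, rest = tokens[0], tokens[2:]  # tokens[1] is the protocol, 'ip' here
    def take(tok):
        if tok[0] == "any":
            return ("0.0.0.0", "255.255.255.255"), tok[1:]
        return (tok[0], tok[1]), tok[2:]
    src, rest = take(rest)
    dst, _ = take(rest)
    return action, src, dst

def _wildcard_match(addr, network, wildcard):
    """Cisco wildcard semantics: a set bit in the wildcard means 'don't care'."""
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    a, n = int(ipaddress.IPv4Address(addr)), int(ipaddress.IPv4Address(network))
    return (a & care) == (n & care)

def first_match(acl, src, dst):
    """Evaluate ACEs top-down and stop at the first match, as IOS does;
    an ACL that matches nothing ends in an implicit deny."""
    for ace in acl:
        action, (sn, sw), (dn, dw) = _parse_ace(ace)
        if _wildcard_match(src, sn, sw) and _wildcard_match(dst, dn, dw):
            return action
    return "deny"

def will_be_natted(src, dst, no_nat_acl=R1_NO_NAT_ACL):
    """NAT translates a flow only if the NAT ACL permits it, so a 'deny' ACE exempts it."""
    return first_match(no_nat_acl, src, dst) == "permit"

# Constructed sample flows: a LAN-to-LAN flow that must enter the tunnel
# untranslated, and an internet-bound flow that must be translated.
SAMPLE_FLOWS = {"vpn": ("192.168.1.10", "10.10.2.20"),
                "internet": ("192.168.1.10", "203.0.113.5")}

def nat_decisions(no_nat_acl=R1_NO_NAT_ACL):
    """Which sample flows get NAT. Reversing the two ACEs is the classic mistake: the
    VPN flow hits 'permit ... any' first, is translated, and no longer matches VPN-ACL."""
    return {name: will_be_natted(s, d, no_nat_acl) for name, (s, d) in SAMPLE_FLOWS.items()}
```

Calling nat_decisions(list(reversed(R1_NO_NAT_ACL))) reproduces the misordered case, where the LAN-to-LAN flow is translated and never enters the tunnel.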

By following the steps above one can configure a Site-to-Site IPsec VPN. Now let's verify whether the IPsec tunnel is established between Site 1 and Site 2.

The most important command to verify Security Association establishment between the two routers is “show crypto isakmp sa”.

We can see from the output above that the Security Association is not established. Why is that?

Unless traffic is initiated from one of the sites, the SA will never come up, so let's ping the Site 1 IP 192.168.1.1 from R2, sourcing the ping from its LAN network.

After initiating the traffic we can see that the SA is established. The state QM_IDLE and the status ACTIVE are the important parameters; together they confirm that the IPsec tunnel is established successfully.

One more verification command, “show crypto ipsec sa”, reports whether the data transmitted over the tunnel is being encrypted and decrypted.

The output above confirms that both encryption and decryption are occurring over the tunnel and our traffic is protected across the internet. If anyone wants the VIRL topology, ping me and I can send the VIRL topology file by email.
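As an added example that is not from the post, the Python below parses constructed samples of the two verification outputs and applies the checks described above: QM_IDLE plus ACTIVE for the ISAKMP SA, and both encrypt and decrypt counters advancing for the IPsec SA. R2's WAN address 2.2.2.2 comes from the post; R1's WAN address 1.1.1.1 is an assumption.

```python
import re

# Constructed sample output in the shape IOS prints for the two verification
# commands. R2's WAN address 2.2.2.2 is from the post; R1's 1.1.1.1 is assumed.
ISAKMP_SA_UP = """\
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
2.2.2.2         1.1.1.1         QM_IDLE           1001 ACTIVE

IPv6 Crypto ISAKMP SA
"""
ISAKMP_SA_NONE = """\
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status

IPv6 Crypto ISAKMP SA
"""
IPSEC_SA_UP = """\
    #pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
    #pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 5
"""
IPSEC_SA_ONE_WAY = """\
    #pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
"""
SA_ROW = re.compile(r"^(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+(\d+)\s+(\S+)")

def isakmp_sas(output):
    """One dict per SA row of 'show crypto isakmp sa'; header lines are skipped."""
    rows = (SA_ROW.match(line) for line in output.splitlines())
    return [dict(dst=m[1], src=m[2], state=m[3], conn_id=int(m[4]), status=m[5])
            for m in rows if m]

def phase1_up(output, peer):
    """True only when an SA with the peer shows QM_IDLE and ACTIVE, the two values
    the post calls out; any MM_* state means main mode is still negotiating."""
    return any(sa["state"] == "QM_IDLE" and sa["status"] == "ACTIVE"
               and peer in (sa["dst"], sa["src"]) for sa in isakmp_sas(output))

def ipsec_counters(output):
    """Encrypt/decrypt packet counters from 'show crypto ipsec sa' (0 if absent)."""
    found = {k: re.search(r"#pkts %s: (\d+)" % k, output) for k in ("encrypt", "decrypt")}
    return {k: int(m[1]) if m else 0 for k, m in found.items()}

def phase2_healthy(output):
    """Both counters must advance; encrypt > 0 with decrypt == 0 is the one-way symptom
    (crypto ACLs not mirrored, or NAT exemption missing on one side)."""
    c = ipsec_counters(output)
    return c["encrypt"] > 0 and c["decrypt"] > 0
```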

How to configure Site-to-Site IPSec VPN on Cisco Routers? – Series 1 (Sun, 27 Dec 2015)

IPSec is the protocol one can use to establish a Site-to-Site VPN; it is widely used because it is an open standard that offers secure, encrypted communication over the public internet. IPSec works at the network layer and only passes unicast traffic. I will brief you all on how IPSec works.

Palo Alto Network Firewall Architecture – Know how (Thu, 03 Sep 2015)

Palo Alto takes a good approach in designing the architecture of its next-generation firewalls: it provides processors dedicated to security functions that work in parallel.

A Palo Alto firewall has a separate Control Plane and Data Plane. By separating them, Palo Alto ensures that each plane runs independently, with its own dedicated processors, memory and hard drives. Some of the high-end firewalls come with 2 to 6 core CPUs dedicated to either the Data Plane or the Control Plane; see the product specifications for details.

The Control Plane is used for management of the Palo Alto firewall; it provides configuration, logging, reporting and route updates.

The Data Plane consists of three types of processor, connected by high-speed 1 Gbps busses: the Signature Processor, the Security Processor and the Network Processor.